Problem description

Multiple vulnerabilities were discovered and corrected in postgresql:

The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL
8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users
to cause a denial of service (daemon crash) or have unspecified
other impact via vectors involving a negative integer in the third
argument, as demonstrated by a SELECT statement that contains a
call to the substring function for a bit string, related to an
overflow. (CVE-2010-0442).

A flaw was found in the way the PostgreSQL server process
enforced permission checks on scripts written in PL/Perl. A remote,
authenticated user, running a specially-crafted PL/Perl script, could
use this flaw to bypass PL/Perl trusted mode restrictions, allowing
them to obtain sensitive information; execute arbitrary Perl scripts;
or cause a denial of service (remove protected, sensitive data)
(CVE-2010-1169).

The PL/Tcl implementation in PostgreSQL 7.4 before 7.4.29, 8.0
before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before
8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 loads
Tcl code from the pltcl_modules table regardless of the table's
ownership and permissions, which allows remote authenticated users,
with database-creation privileges, to execute arbitrary Tcl code by
creating this table and inserting a crafted Tcl script (CVE-2010-1170).
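
To check an installation for exposure to the PL/Tcl issue above (CVE-2010-1170), the following audit query lists every pltcl_modules table with its owner and privileges. It is an added example, not part of the original advisory or of PostgreSQL itself, and it assumes PostgreSQL 8.1 or later (the pg_roles view) and that it is run by a superuser in each database of the cluster.

```sql
-- Audit for CVE-2010-1170: affected PL/Tcl versions load code from any
-- table named pltcl_modules, whatever its ownership and permissions.
-- System catalogs are per-database, so repeat this in every database.

-- 1. Server version, to compare against the fixed releases listed above.
SELECT version();

-- 2. Is PL/Tcl installed in this database at all?
SELECT lanname, lanpltrusted
FROM pg_catalog.pg_language
WHERE lanname IN ('pltcl', 'pltclu');

-- 3. Every pltcl_modules table, with owner and access control list.
--    Rows where owner_is_superuser is false were created by an
--    unprivileged role and should be reviewed first.
SELECT n.nspname  AS schema_name,
       c.relname  AS table_name,
       r.rolname  AS owner,
       r.rolsuper AS owner_is_superuser,
       c.relacl   AS acl            -- NULL means default privileges
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
JOIN pg_catalog.pg_roles     r ON r.oid = c.relowner
WHERE c.relname = 'pltcl_modules'
  AND c.relkind = 'r'               -- ordinary tables only
ORDER BY r.rolsuper, n.nspname;

-- 4. Roles that hold database-creation privileges, the precondition
--    named in the advisory text.
SELECT rolname, rolcreatedb, rolsuper
FROM pg_catalog.pg_roles
WHERE rolcreatedb
ORDER BY rolname;
```

If query 2 returns no rows, PL/Tcl is not installed in that database; an unexpected row from query 3 on an unpatched server warrants inspecting the table's contents before upgrading.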